Full platform security
The Unplugged Engine builds on the proven encryption and security features provided by the underlying mobile platforms and devices. The Unplugged Replicator is a Domino database, deployed on a Domino server. The user initiating replication needs to provide a username and internet password to connect to the Unplugged Replicator. This only needs to be done in the initial setup. The replication process then runs as that user. This means that full platform security is in effect during replication, guaranteeing that only data the user is authorized to see will be replicated onto the mobile device. Similarly changes made on the device will be written back to the server only if the user has the necessary permissions.
Unplugged Engine stores data on the device in an iOS partition reserved for the Unplugged apps. This is encrypted by the Unplugged Engine, using hardware-based AES 256 bit/3DES encryption. This is the same encryption that Apple use for encrypting mail on the iOS device. To maximise the degree of protection offered by this native hardware-based encryption, we recommend that our customers enforce a policy where users implement a Settings - General - Passcode - Simple Pascode = Off and users use a passcode of at least 8 characters/numbers.
In contrast to Unplugged, regular HTML5 mobile web apps use the SQL Lite embedded database on the device. Currently, it is not possible to encrypt SQL Lite data to the same strong standards as the Unplugged Engine data.
The Unplugged mobile database engine communicates with the data synchronizer via a standard HTTP connection. If you choose to have the data synchronizer visible from outside the firewall then you should secure the connection using HTTPS. The server hosting the data synchronizer can be configured to require HTTPS and reject unencrypted HTTP connections. The most secure option is to host the data synchronizer behind a firewall and then use the device’s VPN support to create an encrypted channel between the mobile device and the internal network.
The Unplugged mobile database engine communicates with the data synchronizer via a standard HTTP connection. This connection is automatically encrypted and routed via the BlackBerry Enterprise Server (BES). Thus Unplugged enjoys the same level of security as the core BlackBerry mail infrastructure.
The Unplugged Engine always encrypts the user’s credentials on the device, using BlackBerry encryption APIs. If data is stored on the SD Card (the default) then the BlackBerry administrator can enforce encryption. The BlackBerry OS does not have built-in encryption for data stored in device memory, so we recommend using an SD Card for maximum security.